diff options
author | Christian Poessinger <christian@poessinger.com> | 2022-08-20 16:15:37 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-08-20 16:15:37 +0200 |
commit | 26361076d2b4136dae9ba426c486430002b6e9ac (patch) | |
tree | fcc5be19c276aaadb6e306589eaa65cb15e60027 | |
parent | d247bc04b765a92c973ef93d94f8955312fdc13c (diff) | |
parent | c0f5d00d92667f2a45896180cd05747c3ba82782 (diff) | |
download | vyos-1x-26361076d2b4136dae9ba426c486430002b6e9ac.tar.gz vyos-1x-26361076d2b4136dae9ba426c486430002b6e9ac.zip |
Merge pull request #1481 from sever-sever/T4597
ocserv: T4597: Fix check bounded port by service itself
-rw-r--r-- | python/vyos/util.py | 23 | ||||
-rwxr-xr-x | src/conf_mode/vpn_openconnect.py | 5 |
2 files changed, 27 insertions, 1 deletions
diff --git a/python/vyos/util.py b/python/vyos/util.py index b86b1949c..c1459f02a 100644 --- a/python/vyos/util.py +++ b/python/vyos/util.py @@ -471,6 +471,29 @@ def process_named_running(name): return p.pid return None +def is_listen_port_bind_service(port: int, service: str) -> bool: + """Check if listen port bound to expected program name + :param port: Bind port + :param service: Program name + :return: bool + + Example: + % is_listen_port_bind_service(443, 'nginx') + True + % is_listen_port_bind_service(443, 'ocservr-main') + False + """ + from psutil import net_connections as connections + from psutil import Process as process + for connection in connections(): + addr = connection.laddr + pid = connection.pid + pid_name = process(pid).name() + pid_port = addr.port + if service == pid_name and port == pid_port: + return True + return False + def seconds_to_human(s, separator=""): """ Converts number of seconds passed to a human-readable interval such as 1w4d18h35m59s diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py index a3e774678..240546817 100755 --- a/src/conf_mode/vpn_openconnect.py +++ b/src/conf_mode/vpn_openconnect.py @@ -25,6 +25,7 @@ from vyos.template import render from vyos.util import call from vyos.util import check_port_availability from vyos.util import is_systemd_service_running +from vyos.util import is_listen_port_bind_service from vyos.util import dict_search from vyos.xml import defaults from vyos import ConfigError @@ -77,8 +78,10 @@ def verify(ocserv): if ocserv is None: return None # Check if listen-ports not binded other services + # It can be only listen by 'ocserv-main' for proto, port in ocserv.get('listen_ports').items(): - if check_port_availability('0.0.0.0', int(port), proto) is not True: + if check_port_availability('0.0.0.0', int(port), proto) is not True and \ + not is_listen_port_bind_service(int(port), 'ocserv-main'): raise ConfigError(f'"{proto}" port "{port}" is used by another service') # Check authentication if "authentication" in ocserv: |